I had originally thought that this issue was due to mismatching regions, but after changing the region, I'm still coming across the following error when trying out an Amazon AWS sample found here:
AmazonServiceException: User: arn:aws:sts::[My Account ARN]:assumed-role/Cognito_AndroidAppUnauth_DefaultRole/ProviderSession is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-1:[My Account ARN]:table/test_table (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: BBFTS0Q8UHTMG120IORC2KSASVVV4KQNSO5AEMVJF66Q9ASUAAJG)
Everything is more or less the same; the only things I've changed have been changing the DBclient region to US_EAST_1, where my test table is hosted, and modifying the Constants file using the info from the 'Amazon Cognito Starter Code' page that is generated by following the Cognito get started documentation.
For my Cognito_AndroidAppUnauth_DefaultRole role policy I modified the default mobile analytics and sync service permission to also include access to all actions on all tables, existing or not:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CognitoPolicy",
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DynamoDBPolicy",
            "Effect": "Allow",
            "Action": [
                "dynamodb: *"
            ],
            "Resource": "*"
        }
    ]
}
So why is it claiming that it doesn't have permission when the correct region is used and the Unauth policy should allow for table access?
EDIT: Stack trace when calling a method on the DynamoDB resource (create table), should it prove useful:
com.amazonaws.AmazonServiceException: User: arn:aws:sts::[My Account ARN]:assumed-role/Cognito_AndroidAppUnauth_DefaultRole/ProviderSession is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:us-east-1:[My Account ARN]:table/test_table (Service: AmazonDynamoDBv2; Status Code: 400; Error Code: AccessDeniedException; Request ID: SDELNSMLO10EV7CM2STC1R9RU3VV4KQNSO5AEMVJF66Q9ASUAAJG)
    at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(Unknown Source)
    at com.amazonaws.http.AmazonHttpClient.executeHelper(Unknown Source)
    at com.amazonaws.http.AmazonHttpClient.execute(Unknown Source)
    at com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.invoke(Unknown Source)
    at com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.createTable(Unknown Source)
    at com.amazonaws.demo.userpreferencesom.DynamoDBManager.createTable(DynamoDBManager.java:72)
    at com.amazonaws.demo.userpreferencesom.UserPreferenceDemoActivity$DynamoDBManagerTask.doInBackground(UserPreferenceDemoActivity.java:99)
    at com.amazonaws.demo.userpreferencesom.UserPreferenceDemoActivity$DynamoDBManagerTask.doInBackground(UserPreferenceDemoActivity.java:85)
    at android.os.AsyncTask$2.call(AsyncTask.java:288)
    at java.util.concurrent.FutureTask.run(FutureTask.java:237)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
    at java.lang.Thread.run(Thread.java:841)
Worked with an Amazon engineer and it turns out the problem was in the policy configuration:
"dynamodb: *"
should be
"dynamodb:*"
It's amazing what a space can do.
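The root cause above is a malformed action string that IAM accepts as valid JSON but that never matches any API call, so the statement silently grants nothing. The following is an added example (not code from the question or from AWS) of a small policy lint that catches this class of mistake before the policy is attached: it walks every statement's Action / NotAction entries and flags any string containing whitespace or not shaped like service:Action. The policy document embedded below is the one from the question; the regular expression is a deliberately simple approximation of IAM's action syntax and is an assumption of this example, not an AWS specification.

```python
import json
import re

# Approximate shape of an IAM action string: "<service>:<ActionName or wildcard>" or "*".
# This is an assumption of the example, simplified from IAM's real grammar.
ACTION_RE = re.compile(r"^(?:\*|[a-z0-9-]+:(?:\*|[A-Za-z0-9*?]+))$")

# The role policy from the question, reproduced as sample input for the lint.
SAMPLE_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CognitoPolicy",
            "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"],
            "Effect": "Allow",
            "Resource": ["*"]
        },
        {
            "Sid": "DynamoDBPolicy",
            "Effect": "Allow",
            "Action": ["dynamodb: *"],
            "Resource": "*"
        }
    ]
}"""


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy_actions(policy_json):
    """Return a list of (sid, action, reason) tuples for action strings that
    will never match an API call. An empty list means every action is well formed."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        for key in ("Action", "NotAction"):
            for action in _as_list(stmt.get(key)):
                if any(ch.isspace() for ch in action):
                    # Exactly the bug from the question: "dynamodb: *" is not "dynamodb:*".
                    findings.append((sid, action, "contains whitespace"))
                elif not ACTION_RE.match(action):
                    findings.append((sid, action, "not of the form service:Action"))
    return findings


def suggest_fix(action):
    """Proposed replacement for a flagged action: the same string with all whitespace removed."""
    return "".join(action.split())


if __name__ == "__main__":
    problems = lint_policy_actions(SAMPLE_POLICY)
    if not problems:
        print("no malformed action strings")
    for sid, action, reason in problems:
        print(f"statement {sid}: {action!r} {reason}; did you mean {suggest_fix(action)!r}?")
```

Running it against the question's policy reports the DynamoDBPolicy statement and proposes "dynamodb:*"; after that correction the lint returns nothing. The same check is worth wiring into whatever pipeline reviews IAM policies, since an over-broad "Allow" that accidentally grants nothing is indistinguishable from a working one until a request is denied.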